Data Processing Agreement
Last updated · 14 May 2026 · UK GDPR Article 28
- ✓When you put your employees' or clients' data into our Service, UK GDPR calls you a "Controller" and us a "Processor". Article 28 says we need a written contract about it. This is that contract.
- ✓It sits alongside our Terms — automatic, no separate signature needed. Enterprise customers can request a counter-signed version.
- ✓It commits us to: process only on your instructions, keep your data secure, tell you fast (within 72 hours) if anything goes wrong, only use trusted subprocessors, and return / delete your data when you leave.
- ✓It commits you to: have a lawful basis to put the data in there in the first place, give your people their own logins, keep the data accurate.
- ✓It covers what happens if you want to audit us — we share independent audit reports rather than enable individual on-site audits at scale.
1. Parties & scope
This Data Processing Agreement ("DPA") forms part of the contract ("Terms") between Site Lynx Group Ltd("Processor", "us") and the customer ("Controller", "you") using the Service. It governs the processing of personal data we carry out on your behalf as your processor.
Where you upload personal data of people who are not parties to the Terms (typically your employees, contractors, or business contacts), you are the Controller and we are the Processor. This DPA sets out how we handle that data on your behalf.
This DPA applies automatically when the Terms apply. No separate signature is required, though enterprise customers can request a counter-signed version.
2. Definitions
Terms in capitals not defined here have the meaning given in the Terms or in UK GDPR.
- UK GDPR
- The UK's retained version of Regulation (EU) 2016/679 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
- Data Protection Laws
- UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any other applicable UK data-protection law.
- Personal Data
- Has the meaning given in UK GDPR. In this DPA, it refers specifically to personal data processed by us on your behalf in connection with the Service.
- Processing
- Has the meaning given in UK GDPR — basically any operation performed on Personal Data.
- Sub-processor
- A third party we engage to process Personal Data on your behalf (cloud host, payment processor, email delivery, etc.).
- Data Subject
- A living person to whom Personal Data relates (typically your employees, clients, or contacts).
3. Nature, purpose & duration of processing
4. Your obligations as Controller
- You confirm you have a lawful basis under UK GDPR to put any Personal Data into the Service.
- You confirm you have given any required notices to Data Subjects about how their data will be processed.
- You will not put special-category Personal Data (health, biometric, etc.) into the Service unless you have a lawful basis specific to that category and have performed any required Data Protection Impact Assessment.
- You will not put data relating to criminal convictions into the Service unless you have a lawful basis under Schedule 1 of the DPA 2018.
- You will give your Users individual logins rather than sharing accounts. Where individual accountability matters (audit logs of who did what), this is your obligation.
- You are responsible for the accuracy of the Personal Data you put into the Service and for keeping it up to date.
5. Our obligations as Processor
In line with Article 28(3) of UK GDPR, we commit to the following.
(a) Processing only on your instructions
We will process Personal Data only on your documented instructions, including with regard to international transfers. Your use of the Service constitutes your instructions; if you need us to process in a way the Service doesn't natively support, contact us first.
If we're legally compelled to process Personal Data outside your instructions (e.g. court order), we'll tell you first unless the law forbids it.
(b) Confidentiality of personnel
Anyone we let access Personal Data is under a binding duty of confidentiality, either contractually or statutorily. Access is restricted to those who need it for the Service.
(c) Security measures (Article 32)
We have technical and organisational measures appropriate to the risk, including:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
- Logical access controls — role-based, with audit logging
- Multi-factor authentication available on all accounts; required for staff access to production
- Network segmentation, vulnerability scanning, dependency monitoring
- Daily backups with 30-day point-in-time recovery, geographically separated
- Incident-response runbook with on-call rotation
- Annual independent penetration testing once we cross 100 paying customers
- Background checks on staff with access to production data
(d) Sub-processors
You give us general written authorisation to engage Sub-processors to help deliver the Service. Current categories include cloud hosting and database, payment processing, transactional email, error monitoring, AI processing, and customer support tooling.
A current Sub-processor list with names is available on request to info@site-lynx.co.uk. We will give you at least 30 days' notice of any new Sub-processor that processes service-critical Personal Data, by email and an in-app banner.
If you reasonably object to a new Sub-processor on data-protection grounds within that notice period, we will work with you in good faith to resolve. If we can't, you may terminate your subscription without penalty and we'll refund prepaid fees for the unused period.
All Sub-processors are bound by written contracts imposing data-protection obligations no less protective than those in this DPA.
(e) Assistance with Data Subject rights
We'll provide reasonable assistance, considering the nature of the processing, to enable you to respond to requests from Data Subjects exercising their rights under Chapter III of UK GDPR (access, rectification, erasure, restriction, portability, objection, automated decisions).
Most rights are exercisable directly through the Service — Users with appropriate permissions can search, export, edit, and delete records. For anything not directly self-serve, email info@site-lynx.co.uk.
(f) Personal data breaches
We will notify you without undue delay — and in any case within 72 hours — of becoming aware of any Personal Data Breach affecting Personal Data we process on your behalf. The notification will include, to the extent we can:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects + records affected
- Likely consequences
- Measures taken or proposed to address it
- Contact details for further information
We'll assist you in meeting your own Article 33/34 obligations (notifying the ICO and affected Data Subjects). The decision to notify Data Subjects in any case sits with you as Controller.
(g) Assistance with DPIAs & prior consultation
We'll provide reasonable assistance with any Data Protection Impact Assessment you carry out, and with any prior consultation with the ICO under Article 36 — taking into account what information is in our knowledge.
(h) End-of-services data handling
On termination or expiry of the Terms, you choose whether we return all Personal Data or delete it. We default to: 30 days to export, 90 days in cold storage, then deletion within 7 days of the storage period ending.
You can also delete Personal Data during the term — either individual records via the Service or your whole account.
We may retain Personal Data after the term where we have a legal obligation to do so (e.g. financial records under HMRC rules). Any retained data remains subject to this DPA and our Privacy Policy.
(i) Making information available + audits
We'll make available to you the information you reasonably need to demonstrate compliance with our obligations under Article 28.
You may audit our compliance with this DPA. We'll respond to reasonable audit requests in good faith. We may satisfy audit requests by providing recent independent audit reports (e.g. SOC 2, ISO 27001) where they cover the relevant scope, rather than enabling on-site customer audits, because direct customer audits at scale would themselves create a security risk. Enterprise customers may negotiate on-site audit rights in a counter-signed version of this DPA.
Audits are at your cost and must respect reasonable confidentiality and operational constraints. We'll give you the results of our own annual penetration testing on request, subject to a confidentiality undertaking.
6. International transfers
Our primary processing region is the United Kingdom. Where Personal Data is transferred outside the UK, we rely on one of:
- UK adequacy regulations
- The UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK Addendum, between us and the transferee
- Article 49 derogations (limited cases, with notice)
By accepting this DPA, you authorise the transfers necessary to deliver the Service, subject to those safeguards.
7. Liability
Each party's liability for breaches of this DPA is subject to the limitation of liability in section 12 of the Terms. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under UK law (e.g. for fraud, or for fines under UK GDPR where personally liable).
8. Order of precedence
If anything in this DPA conflicts with anything in the Terms, this DPA prevails for matters of personal data processing. For everything else, the Terms prevail.
9. Term & termination
This DPA takes effect on the Effective Date of the Terms and continues for as long as the Terms remain in force, plus any retention period required by law.
On termination of the Terms, the end-of-services data-handling obligations in section 5(h) apply.
10. General
This DPA is governed by the law of England and Wales. Disputes about it are subject to the same dispute-resolution mechanism as the Terms (section 16 of the Terms).
We may update this DPA from time to time. Material changes follow the same 30-day notice + in-app banner process as for the Terms. Non-material changes (clarifications, statutory references) we publish with an updated date.
11. Contact
For any data-protection matter — including exercising rights, notifying us of a breach you suspect on our side, or requesting a counter-signed version of this DPA — write to: